Hello Giancarlo,

Argh - rtfm - I tried to search on this topic but only in the OpenBSD FAQ. Thanks for pointing me in the right direction.
Kind regards, Stefan

-----Original Message-----
From: Giancarlo Razzolini [mailto:[EMAIL PROTECTED]] On Behalf Of Giancarlo Razzolini
Sent: Tuesday, September 02, 2008 7:24 PM
To: Stefan Sczekalla
Cc: misc@openbsd.org
Subject: Re: question on nat behaviour ....

Stefan Sczekalla wrote:
> I'm somewhat uncertain on how NAT behaves, especially on nearly
> concurrent rules.
>
> e.g.
>
> assumption: ( ext_if has two addresses, e.g. 82.100.200.1 and an ALIAS
> 82.100.200.2 )
>
> nat pass on $ext_if from $internal_networks to 192.168.47.11 -> 82.100.200.1
> nat pass on $ext_if from $internal_networks to any -> ( $ext_if )
>
> ( How ) can I be sure that 192.168.47.11 will always be connected from
> 82.100.200.1 ?
>
> Will PF behave differently when the order of the rules is vice-versa ?
>
> Kind regards,
>
> Stefan
>

The pf.conf man page states this, when talking about the evaluation of translation rules:

"Evaluation order of the translation rules is dependent on the type of the translation rules and of the direction of a packet. binat rules are always evaluated first. Then either the rdr rules are evaluated on an inbound packet or the nat rules on an outbound packet. Rules of the same type are evaluated in the same order in which they appear in the ruleset. *The first matching rule decides what action is taken.*"

Also, you are using the *pass* modifier. This means that, if a packet matches the rule, it will not be processed further by filter rules. You must keep in mind that *every* packet that matches a translation rule will create an implicit state. If you take a look at the pf states with pfctl -ss -vvv, you can see the states and also which IP address they were translated to. This way you can ensure your rules are working correctly. But I don't recommend the use of the *pass* modifier unless you know exactly what you're doing.
My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Heron 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
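As an added example, not code from this thread or from the OpenBSD project, here is how the two rules from the question would be written so that the first-match evaluation Giancarlo quotes works in Stefan's favour, in the pre-OpenBSD-4.7 `nat` syntax the thread uses. The interface names, the contents of the macros and the block/pass filter rules are assumptions; only the two translation rules and the addresses come from the question.

```pf
# Added example (not from the thread): ordering nat rules so the specific
# source address is always used for 192.168.47.11. Interface names and macro
# contents are assumptions; adjust them to the real setup.
ext_if = "em0"
int_if = "em1"
internal_networks = "{ 192.168.1.0/24, 192.168.2.0/24 }"

# Translation rules of one type (here: nat) are evaluated top to bottom and
# the FIRST matching rule decides. The specific rule must therefore sit ABOVE
# the catch-all. With the order reversed, "to any" would match traffic to
# 192.168.47.11 first, and that traffic would leave from whichever address
# ($ext_if) selects, which may be 82.100.200.2 rather than 82.100.200.1.
nat on $ext_if from $internal_networks to 192.168.47.11 -> 82.100.200.1
nat on $ext_if from $internal_networks to any           -> ($ext_if)

# No "pass" modifier on the nat rules: the translated packet still has to be
# accepted by the filter rules below, so the policy stays explicit instead of
# being silently granted by the translation rule.
block all
pass in  on $int_if from $internal_networks to any keep state
pass out on $ext_if from ($ext_if)         to any keep state

# Checks (run as root, commented so this file stays a plain pf.conf):
#   pfctl -nf /etc/pf.conf   syntax check without loading
#   pfctl -sn                print the nat rules in their evaluation order
#   pfctl -ss -vvv           list states; each shows the original and the
#                            translated address, so a connection to
#                            192.168.47.11 should always show 82.100.200.1
```

One caveat worth knowing when reading this thread today: OpenBSD 4.7 and later dropped the separate `nat`, `rdr` and `binat` rule types in favour of `match ... nat-to` / `rdr-to` options on ordinary rules, so the quoted man page text about translation rules being evaluated before filter rules applies to the releases current in 2008, not to modern pf.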